CSIA PROJECT 1
Final Project – Sifers-Grayson Incident Response Exercise
Roderick Barker
October 14, 2018
This study source was downloaded by 100000766134782 from CourseHero.com on 05-16-2022 15:35:11 GMT -05:00
https://www.coursehero.com/file/34738142/CSIA-FinalProjectdocx/
SIFERS-GRAYSON CYBERSECURITY INCIDENT REPORT FORM
1. Contact Information for the Incident Reporter and Handler
– Roderick Barker
– Cybersecurity Incident Response Team Leader
– Organizational unit: Information Technology Department Head at Sifers-Grayson Corp., Blue Team member
– 606-331-8098
– Location: 1555 Pine Knob Trail, Pine Knob, KY 42721
2. Incident Details
– Status change date/timestamps (including time zone): The official start time of the attack is still unclear. The incident was uncovered when systems became sluggish under high traffic volume and the drone began to “malfunction”. At this point the activity has been traced back to an unauthorized IP address.
– Location: Pine Knob, KY (42721)
– Status of the incident: The attack has ended
– Source/cause of the incident: The attack originated from IP address 11.123.26.193; no hostname was associated with it. The attacker's objective was to steal any and all valuable information.
– Description of the incident: The attack was detected when systems became unusable because of high traffic volume and latency. Logging information from a server, reviewed through Task Manager, provided the evidence.
– Description of affected resources: The overall network is still fully operational. The R&D Center servers (network 10.10.120.0) were compromised and 100% of the design documentation and code was stolen. The test range network (10.10.128.0) was compromised, and the AX10 drone was “stolen”: it was flown away from its designated site.
– If known, incident category, vectors of attack associated with the incident, and indicators related to the incident: Not available at this time.
– Prioritization factors: During the attack the network and systems slowed under high traffic volume. Once the attack ended, the systems and network returned to normal functionality.
– Mitigating factors: Compromised servers led to 100% of the drone's design documents and code being stolen; 20% of employee passwords were captured by key-logging software; malware was downloaded using the stolen logins; and malware affecting the PROM led to the “stolen” drone.
– Response actions performed: The affected systems were shut down after the attack ended. All activity that occurred on the network was logged and preserved as forensic evidence.
– Other organizations contacted: N/A
3. Cause of the Incident: (e.g., misconfigured application, unpatched host)
The incident was caused by a string of unsecured access points, improper handling of devices, and a lack of overall network security. Poor protection of user logins allowed access to secure parts of the network and to secure areas. Employees' improper handling of unknown plug-in devices let viruses and malware onto their systems and then onto the network. Employees letting unknown persons into secure areas (piggybacking) opened the door to physical attacks. With no security measures in place to scan for malware and viruses, the attackers were able to compromise items such as the AX10 drone.
4. Cost of the Incident:
The total cost has yet to be fully determined. The user accounts, the code for the AX10 drone, and the documentation are almost priceless, and the price of any damaged equipment is still being totaled. Projected timetables show that the IT staff would need about 200 hours to perform a “clean-up” of the network, at roughly 100 dollars per hour in pay. The estimated total is therefore in the 20,000 dollar range for labor alone, before the value of the stolen data and any damaged equipment is counted.
5. Business Impact of the Incident:
The impact of this incident is very significant. At the same time, the exercise will help Sifers-Grayson put in place the security measures it needs to operate smoothly and avoid future incidents.
6. General Comments:
The test pointed out many of the security issues Sifers-Grayson faces. Below is an overview of the incident, an analysis of some of the key issues, and the tools to implement in order to secure the network.
Background Overview
Sifers-Grayson hired an outside company to test the security of its network. The test consisted of penetrating the network and providing a full report on any vulnerabilities found. After weeks of continuous testing, the test team (Red Team) was able to get into the Sifers-Grayson network and exploit a list of unsecured connections. Under the company's current government contracts, the Department of Defense requires contractors to provide stronger security for their Research and Development and SCADA lab operations. Both of these labs hold classified and secret information, and both were locations the Red Team was able to enter and steal information from.
Because of the parameters of those contracts and standards, Sifers-Grayson must now follow the NIST guidance for protecting controlled unclassified information stored in nonfederal information systems and organizations (NIST SP 800-171). Any failure to follow these regulations could result in heavy fines or contract termination, and a terminated contract makes it hard for a company to win contracts afterward.
Using the Defense Federal Acquisition Regulation Supplement (DFARS) as the outline for its incident reporting will benefit the security and integrity of the company. Identifying possible risks to the network and systems before the “enemy” does is a plus, and the outline and information in the given documents will make providing security easier. The analysis below provides tools and recommendations for safeguarding the company's information.
Incident Analysis
Based on the current topology of the internet connection for the Research and Development (R&D) servers, they are connected to a Wireless Access Point (WAP) through two different wired connections. Both cables are buried: the first is a fiber-optic run straight to the R&D center; the other is copper cabling that passes through a protective firewall before reaching the center.
The testing team (Red Team) gained access to the network through the engineers' R&D center server, breaking in through unprotected network connections. There are a few possibilities for how this was done: the wireless router could have been compromised, or the network cables could have been rerouted to a rogue router to allow access. Unsecured network connections make it easy to pick up network traffic and monitor it, and they give the attacker a path to any information stored on any system in the network. Monitoring software that attaches to an unsecured network and collects a wide array of information is easy for an attacker to obtain, and with it the attacker can gain usernames, passwords, personal information, and much more.
With government contracts, most if not all of the information stored is secret or confidential in some way, and companies with these contracts and data need the utmost security. For its current wireless connection, Sifers-Grayson should adopt WPA2 with AES (CCMP) encryption. “This is the most secure option. It uses WPA2, the latest Wi-Fi encryption standard, and the latest AES encryption protocol.” (Hoffman, 2017). WPA2 with AES is the hardest of the available Wi-Fi modes to crack, and the older TKIP cipher should be disabled entirely. One caveat: on a WPA2-Personal (pre-shared key) network an attacker can still capture the four-way handshake and attempt offline passphrase guessing, so the pre-shared key must be long and random, or the network should use WPA2-Enterprise (802.1X) with per-user credentials.
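The weak and the corrected access point settings side by side, as an added example that is not part of the original report: a small audit of hostapd-style configuration. The two embedded fragments are constructed for the example; the option names (wpa, wpa_key_mgmt, wpa_pairwise, rsn_pairwise, ieee80211w, wpa_passphrase) are real hostapd options, while the SSID, the passphrases, and the 20-character passphrase floor are assumptions.

```python
"""Audit a hostapd configuration for the weak Wi-Fi settings discussed above.

Added example (not part of the original report). It embeds two constructed
hostapd.conf fragments: a weak one that still allows WPA (version 1) and the
TKIP cipher with a short pre-shared key, and a hardened WPA2/AES-CCMP one.
The option names are real hostapd keys; the 20-character passphrase floor and
the SSID/passphrases are assumptions chosen for the example.
"""
from __future__ import annotations

WEAK_CONF = """\
# constructed sample: what a default-ish access point often ships with
interface=wlan0
ssid=SG-RnD
wpa=3
wpa_key_mgmt=WPA-PSK
wpa_passphrase=drone123
wpa_pairwise=TKIP CCMP
rsn_pairwise=TKIP CCMP
"""

HARDENED_CONF = """\
# constructed sample: WPA2-only, AES-CCMP-only, long random PSK, MFP required
interface=wlan0
ssid=SG-RnD
wpa=2
wpa_key_mgmt=WPA-PSK
wpa_passphrase=Kx7!pine-knob-42721-vQ9#Lm2
rsn_pairwise=CCMP
ieee80211w=2
"""

MIN_PSK_LEN = 20  # assumption: hostapd's minimum is 8; longer resists offline guessing


def parse_hostapd(text: str) -> dict[str, str]:
    """Parse hostapd's key=value format, ignoring blank lines and # comments."""
    conf: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        conf[key.strip()] = value.strip()
    return conf


def audit_hostapd(conf: dict[str, str]) -> list[str]:
    """Return human-readable findings; an empty list means the fragment passed."""
    findings: list[str] = []

    # wpa is a bitfield: 1 = WPA (TKIP era), 2 = WPA2/RSN, 3 = both.
    wpa = conf.get("wpa", "0")
    if wpa != "2":
        findings.append(f"wpa={wpa}: WPA2 (RSN) only is required; set wpa=2")

    # wpa_pairwise applies to WPA, rsn_pairwise to WPA2. TKIP must not appear in either.
    for key in ("wpa_pairwise", "rsn_pairwise"):
        ciphers = conf.get(key, "").split()
        if "TKIP" in ciphers:
            findings.append(f"{key}={conf[key]}: TKIP is deprecated; use CCMP only")
    if "CCMP" not in conf.get("rsn_pairwise", "").split():
        findings.append("rsn_pairwise must list CCMP (AES) for WPA2")

    # Pre-shared key length: the 4-way handshake can be captured and guessed offline.
    if "WPA-PSK" in conf.get("wpa_key_mgmt", "").split():
        psk = conf.get("wpa_passphrase", "")
        if len(psk) < MIN_PSK_LEN:
            findings.append(
                f"wpa_passphrase is {len(psk)} chars; use >= {MIN_PSK_LEN} random chars or 802.1X"
            )

    # Management frame protection (802.11w) blocks the forged deauth frames used
    # to kick clients off and force a fresh handshake capture.
    if conf.get("ieee80211w") != "2":
        findings.append("ieee80211w=2 (required management frame protection) is not set")

    return findings


if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit_hostapd(parse_hostapd(text)) or ["OK"])
```

Requiring management frame protection (ieee80211w=2) can lock out very old clients that do not support 802.11w; if that is a problem on the test range, ieee80211w=1 (optional) is the compromise, and the audit threshold should be adjusted to match.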
Another security measure that should be implemented is Microsoft Active Directory (AD). It fits the topology already in place and boosts security for devices and users. Like most companies, Sifers-Grayson has multiple devices and users who access the network at different times and for different reasons. Active Directory allows the company's resources to be organized and controlled more precisely.
The features AD provides will not just secure the systems and network but also help protect the users. Active Directory Domain Services (AD DS) keeps unauthorized parties off the network: it stores the devices and members of the domain, the users, and the rights associated with each account, and it verifies user credentials. AD also provides Certificate Services (AD CS), which enables the creation, validation and revocation of public key certificates. These certificates help validate devices and user access information, making sure that any data entering the system and network belongs there.
The last function that makes AD worthwhile is Active Directory Rights Management Services (AD RMS). It applies to both intruders and employees trying to reach documents, web pages, emails, or files they are not authorized for. It adds another layer of encryption and selectively denies access to limit who can open these objects. AD RMS also handles decryption using the certificates the user holds, so a user without the correct “code” cannot gain access. With user privilege parameters defined in Active Directory, a user can only reach the parts of the network they have been granted, such as the domains made for their departments. Because the Red Team gained access through the unsecured network connections, they had instant access to the servers and other parts of the network. Had Active Directory been installed and in full use, the Red Team would not have had access to servers in other domains. Under the principle of least privilege, users are assigned only the rights and access to domains that they require for their work; they can reach those points and nothing further. If a device or account is compromised and does not have the rights defined, it will not be able to reach the rest of the network. Note that least privilege limits what a compromised account can reach; it does not stop an attacker who holds the credentials of an account that is itself authorized, so it must be combined with the credential protections discussed next.
Another major issue faced during the test was the Red Team's ability to crack into user accounts. Because employees picked up unknown USB devices and plugged them into their machines, the Red Team was able to get key-logging software onto the network. This software logged user credentials and gave the Red Team access to those accounts. There are a number of ways to fix this issue; the two easiest are training and company-mandated devices.
One of the easiest and fastest ways to keep this issue from happening again at Sifers-Grayson is proper training of all staff members by the IT department. Teaching employees where and how an attack could occur is key. Employees should also be taught about common issues such as downloading suspicious files, plugging in unauthorized or unknown devices, phishing schemes, and physical security such as piggybacking. Keeping employees up to date on all of this information will help keep the company safe. Another option is to allow only devices, such as USB drives, that are issued by Sifers-Grayson. This would ensure that harmful devices never find their way onto company machines. Most Department of Defense environments supply such devices and require a request to obtain them. This is a sure way to keep the network secure, and it also makes watching over the network faster and easier.
C.E.R (Containment, Eradication, and Recovery) Briefing:
When stolen user login credentials were discovered, it was also discovered that malware had been installed from the DevOps department. Because the network connections in this department were left unsecured, it was easy for the Red Team to install the malware without raising any alarms or flags. Since malware is constantly changing and becoming harder to detect, new technologies have to be adopted to counter it.
The simplest way Sifers-Grayson could have been protected was by implementing an IPS and an IDS. An Intrusion Prevention System and an Intrusion Detection System would have alerted the IT staff to the malware installation. The IPS “is a device that controls access to IT networks in order to protect systems from attack and abuse. It is designed to inspect attack data and take the corresponding action, blocking it as it is developing and before it succeeds, creating a series of rules in the corporate firewall.” (Panda, n.d.). This tool would have made locating the unsecured network segments easier, and it would have prevented the Red Team from successfully installing malicious software. The IDS “provides the network with a level of preventive security against any suspicious activity. The IDS achieves this objective through early warnings aimed at systems administrators.” (Panda, n.d.). The IDS does not block attacks, but it logs every successful and unsuccessful entry into the network. For Sifers-Grayson the threat would have been thwarted earlier had an IPS and IDS been installed and active: the IDS would have logged the activity and the IPS would have stopped the malware from being installed, leaving a record for the IT department to review and fix the vulnerability. Two caveats apply: a sensor only sees the traffic it is placed in front of, so the R&D, test range and DevOps segments each need coverage, and signature-based detection only catches what it has rules for, so the rule set must be kept current and the alerts actually reviewed. An adequate IPS and IDS need to be deployed on the network as soon as possible.
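The two signals that actually exposed this incident (traffic from a source outside the company's own networks, and a flood of connections from one source) are exactly what an IDS rule or a log review would key on. As an added example, not part of the original report and not tied to any IDS product, the following runs that detection logic over a constructed firewall log. The log format is made up for the example, the /24 masks on 10.10.120.0 and 10.10.128.0 are assumed (the report names the networks without masks), and the threshold of 5 connections per 60 seconds is an assumption to tune against real traffic.

```python
"""Detect external sources and connection floods in firewall-style log lines.

Added example, not part of the original report and not any IDS product's code.
The log format, the /24 masks, and the flood threshold are assumptions.
"""
from __future__ import annotations

import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timezone

# Assumed /24 masks; the report names the networks but not their sizes.
INTERNAL_NETS = [
    ipaddress.ip_network("10.10.120.0/24"),  # R&D Center
    ipaddress.ip_network("10.10.128.0/24"),  # test range
]
FLOOD_THRESHOLD = 5        # assumption: connections per window from one source
FLOOD_WINDOW_SECONDS = 60  # assumption: sliding window length

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) conn src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"dport=(?P<dport>\d+) action=(?P<action>\w+)$"
)

# Constructed firewall log: two engineers doing normal work, then the source
# address named in the report hammering the R&D servers.
SAMPLE_LOG = """\
2018-10-14T02:10:41Z fw1 conn src=10.10.128.17 dst=10.10.120.5 dport=445 action=allow
2018-10-14T02:10:55Z fw1 conn src=10.10.120.23 dst=10.10.120.5 dport=443 action=allow
2018-10-14T02:11:05Z fw1 conn src=11.123.26.193 dst=10.10.120.5 dport=22 action=allow
2018-10-14T02:11:06Z fw1 conn src=11.123.26.193 dst=10.10.120.5 dport=445 action=allow
2018-10-14T02:11:08Z fw1 conn src=11.123.26.193 dst=10.10.120.5 dport=445 action=allow
2018-10-14T02:11:09Z fw1 conn src=11.123.26.193 dst=10.10.120.6 dport=445 action=allow
2018-10-14T02:11:31Z fw1 conn src=10.10.128.17 dst=10.10.120.5 dport=445 action=allow
2018-10-14T02:11:40Z fw1 conn src=11.123.26.193 dst=10.10.120.7 dport=445 action=allow
2018-10-14T02:11:52Z fw1 conn src=11.123.26.193 dst=10.10.120.5 dport=3389 action=allow
2018-10-14T02:14:03Z fw1 conn src=10.10.120.23 dst=10.10.120.5 dport=443 action=allow
"""


def parse_line(line: str) -> dict | None:
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    rec["dport"] = int(rec["dport"])
    return rec


def is_internal(addr: str) -> bool:
    """True when addr falls inside one of the company's own networks."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def analyze(log_text: str) -> dict[str, set[str]]:
    """Return the external sources seen and the sources that exceeded the flood threshold."""
    external: set[str] = set()
    times: dict[str, list[datetime]] = defaultdict(list)

    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # unparseable line; a real deployment would count these too
        if not is_internal(rec["src"]):
            external.add(rec["src"])
        times[rec["src"]].append(rec["ts"])

    flooders: set[str] = set()
    for src, stamps in times.items():
        stamps.sort()
        start = 0
        for end, t in enumerate(stamps):
            # Advance the window start until it lies within FLOOD_WINDOW_SECONDS of t.
            while (t - stamps[start]).total_seconds() > FLOOD_WINDOW_SECONDS:
                start += 1
            if end - start + 1 >= FLOOD_THRESHOLD:
                flooders.add(src)
                break
    return {"external_sources": external, "flood_sources": flooders}


if __name__ == "__main__":
    result = analyze(SAMPLE_LOG)
    print("external sources:", sorted(result["external_sources"]))
    print("flood sources:   ", sorted(result["flood_sources"]))
```

On the sample log the only external source and the only flooder is 11.123.26.193, which is the kind of finding the report's “traced back to an unauthorized IP address” line rests on. The sliding window, rather than a fixed per-minute bucket, matters because a burst that straddles a minute boundary would otherwise be split in two and missed.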
The final issue Sifers-Grayson needs to address is a backup file system. After two previous ransomware attacks, all files, documents, and other important information should have backups in case of another security threat. Microsoft offers built-in tools to create file backups. Backup capability needs to be added to every server in the company; this is one way to ensure there is no loss. Backups can be made of files, folders, and the state of the system. If a system were to go down or be attacked, the snapshots would allow a new device or a restored “save” to bring everything back. Backups should be run on weekends and during non-working hours so the network stays clear for use, and they can be scheduled or run on demand depending on the users and the rules set. Because the previous incidents were ransomware, at least one backup copy should be kept offline or otherwise unreachable from the production network, and restores should be tested regularly: a backup that the ransomware can also encrypt, or that cannot actually be restored, offers no protection.
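What “tested regularly” means in practice, as an added example that is not part of the original report and is not Microsoft's backup tooling: back up a directory to an archive with a SHA-256 manifest, tamper with the live copy the way ransomware would, restore from the archive, and check the restored tree against the manifest. The sample tree (a few constructed “design” files) is created in a temporary directory; the file names and contents are made up for the example.

```python
"""Back up a directory with a SHA-256 manifest, then verify a restore after tampering.

Added example, not part of the original report and not Microsoft's backup tooling.
The sample tree below is constructed for the example.
"""
from __future__ import annotations

import hashlib
import json
import os
import tarfile
import tempfile
from pathlib import Path

SAMPLE_TREE = {  # constructed sample content, standing in for R&D documents
    "design/ax10_flight_controller.c": b"/* constructed sample source */\nint main(void){return 0;}\n",
    "design/ax10_prom_image.bin": bytes(range(256)) * 4,
    "docs/test_range_procedures.txt": b"constructed sample procedure text\n",
}


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large images do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict[str, str]:
    """Map every file under root (relative POSIX path) to its SHA-256."""
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*")) if p.is_file()
    }


def create_backup(src: Path, archive: Path) -> dict[str, str]:
    """Write a gzip tar of src plus a JSON manifest beside it; return the manifest."""
    manifest = build_manifest(src)
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(src, arcname=".")
    archive.with_suffix(".manifest.json").write_text(json.dumps(manifest, indent=1))
    return manifest


def restore_backup(archive: Path, dest: Path) -> Path:
    """Extract into dest, using tarfile's 'data' filter (path-traversal safe) where available."""
    dest.mkdir(parents=True, exist_ok=True)
    with tarfile.open(archive, "r:gz") as tar:
        if hasattr(tarfile, "data_filter"):  # Python 3.12+ and backports
            tar.extractall(dest, filter="data")
        else:
            tar.extractall(dest)
    return dest


def verify_tree(root: Path, manifest: dict[str, str]) -> list[str]:
    """Return the manifest paths whose current hash differs from, or is missing in, root."""
    current = build_manifest(root)
    return sorted(p for p, digest in manifest.items() if current.get(p) != digest)


def demo() -> tuple[list[str], list[str]]:
    """Create the sample tree, back it up, simulate ransomware, restore, verify.

    Returns (mismatches in the tampered live tree, mismatches in the restored tree).
    """
    with tempfile.TemporaryDirectory() as tmp:
        live = Path(tmp) / "live"
        for rel, data in SAMPLE_TREE.items():
            (live / rel).parent.mkdir(parents=True, exist_ok=True)
            (live / rel).write_bytes(data)

        archive = Path(tmp) / "backup" / "rd-center.tar.gz"
        archive.parent.mkdir()
        manifest = create_backup(live, archive)

        # Simulated ransomware: overwrite one file with junk (constructed; no real malware).
        victim = live / "design/ax10_flight_controller.c"
        victim.write_bytes(b"ENCRYPTED-BY-RANSOMWARE" + os.urandom(32))

        restored = restore_backup(archive, Path(tmp) / "restored")
        return verify_tree(live, manifest), verify_tree(restored, manifest)


if __name__ == "__main__":
    tampered, after_restore = demo()
    print("tampered in live tree:", tampered)
    print("mismatches after restore:", after_restore)
```

The manifest is what turns a backup into a tested backup: the same `verify_tree` check run against a restore drill answers whether the copy is actually usable, and run against the live tree it doubles as a crude integrity monitor that flags encrypted or altered files. The archive and its manifest should be copied to storage the production network cannot write to, so that ransomware which reaches the servers cannot also reach the backups.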
Reference:
Hoffman, C. (2017, July 20). Wi-Fi Security: Should You Use WPA2-AES, WPA2-TKIP, or Both? Retrieved from https://www.howtogeek.com/204697/wi-fi-security-should-you-use-wpa2-aes-wpa2-tkip-or-both/
Panda. (n.d.). What is the difference between an IDS and an IPS? Retrieved from https://www.pandasecurity.com/usa/support/card?id=31463